It’s 2014. Does anyone in the domain name business still fall for phishing attacks?

Apparently, yes, ICANN staff do.

ICANN has revealed that “several” staff members fell prey to a spear-phishing attack last month, resulting in the theft of potentially hundreds of user credentials and unauthorized access to at least one Governmental Advisory Committee web page.

According to ICANN, the phishers were able to gather the email passwords of staff members, then used them to access the Centralized Zone Data Service.

CZDS is the clearinghouse for all zone files belonging to new gTLD registries. The data it stores isn’t especially sensitive — the files are archives, not live, functional copies — and the barrier to signing up for access legitimately is pretty low.

But CZDS users’ contact information and login credentials — including, as a matter of disclosure, mine — were also accessed.

While the stolen passwords were encrypted, ICANN is still forcing all CZDS users to reset their passwords as a precaution. The organization said in a statement:

The attacker obtained administrative access to all files in the CZDS. This included copies of the zone files in the system, as well as information entered by users such as name, postal address, email address, fax and telephone numbers, username, and password. Although the passwords were stored as salted cryptographic hashes, we have deactivated all CZDS passwords as a precaution. Users may request a new password at czds.icann.org. We suggest that CZDS users take appropriate steps to protect any other online accounts for which they might have used the same username and/or password. ICANN is providing notices to the CZDS users whose personal information may have been compromised.

As a victim, this doesn’t worry me a lot. My contact details are all in the public Whois and published on this very web site, but I can imagine other victims might not want their home address, phone number and the like in the hands of ne’er-do-wells.

It’s the second time CZDS has been compromised this year. Back in April, a coding error led to a privilege escalation vulnerability that was exploited to view requests by users to new gTLD registries.

Also accessed by the phishers this time around were several pages on the GAC wiki, which is about as interesting as it sounds (ie, not very). ICANN said the only non-public information that was viewed was a “members-only index page”.

User accounts on the ICANN blog and its Whois information portal were also accessed, but apparently no damage was caused.

In summary, the hackers seem to have stolen quite a lot of information they could have easily obtained legitimately, along with some passwords that may allow them to cause further mischief if they can be decrypted.

It’s embarrassing for ICANN, of course, especially for the staff members gullible enough to fall for the attack.

While the phishers made their emails appear to come from ICANN’s own domain, presumably their victims would have had to click through to a web page with a non-ICANN domain in the address bar in order to hand over their passwords.

That’s not the kind of practice you’d expect from the people tasked with running the domain name industry.
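One mail-gateway check that flags exactly the pattern described above (a From: address on the organisation's own domain, but links in the body that lead to a different registrable domain), as an added example that is not from the original post; the two sample messages and all hostnames in them are constructed:

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample: sender appears to be on the organisation's own domain,
# but the link lands on an unrelated host that merely starts with "icann.org".
SAMPLE_PHISH = """From: IT Helpdesk <helpdesk@icann.org>
To: staff@icann.org
Subject: Mailbox quota exceeded

Your mailbox is over quota. Confirm your account within 24 hours:
https://icann.org.mail-verify.example/login
"""

# Constructed sample: a link whose registrable domain matches the sender's.
SAMPLE_LEGIT = """From: IT Helpdesk <helpdesk@icann.org>
To: staff@icann.org
Subject: Scheduled maintenance

Details are on the intranet: https://intranet.icann.org/maintenance
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels. No public-suffix list is
    used here, so this is right for .org/.com but too short for e.g. co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(raw_from: str) -> str:
    """Registrable domain of the address in a From: header value."""
    m = re.search(r"@([\w.-]+)", raw_from)
    return registrable_domain(m.group(1)) if m else ""


def mismatched_links(raw_message: str) -> list:
    """Return body URLs whose registrable domain differs from the From: domain.
    Assumes a single-part text message (get_payload() then returns a str)."""
    msg = message_from_string(raw_message)
    own = sender_domain(msg["From"] or "")
    body = msg.get_payload()
    flagged = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != own:
            flagged.append(url)
    return flagged
```

A hit does not prove phishing (legitimate mail from your own domain can link to third-party sites), so treat the output as a triage signal and pair it with a check of the actual sending infrastructure rather than the From: header alone.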

Someone was clearly able to trick via targeted “spear phish” credentials out of someone from a smaller group of people sophisticated in the art of domain names (ICANN).

It stands to logic that a much larger demographic (say 100M+ ish) registrants who are much less sophisticated in the art of knowing better would have a bigger pool of people to be fooled into giving up their credentials at their registrar.

Think about it… the RRA requires a response, or the name gets deactivated. A call to action that cannot be ignored. A prime target for a “spear phisher”.

If you add in to the mix that
a] zone file comparison between day 1 and day 2 gives you a list of new names
+
b] requirement of accurate contact information
+
c] thick whois requirements
+
d] public, free, reasonably anonymous access to whois data
+
e] registrar name included in that whois data
+
f] contact name or other specific details of registrant in that whois data (phone number, company name, address)
+
g] email address of contact (likely the account holder in the majority of circumstances) in the whois data
+
h] message that you must click to affirm or lose your domain name

Let us call the perp of the phishing attack the a-h … (perfect, isn’t it?)

Seems like when you stack up all the perfect storm of ingredients that the RRA provision introduced, the a-h has been provided a wealthy vein of predatory opportunity by the RRA.

Just saying… It seems like the consideration of harms introduced to registrants and registrars was perhaps overlooked on this provision to the RRA.

John Berryhill is right in spirit. The requirement to keep current and accurate WHOIS contact info, at the risk of losing your domain name, is a terrible mandate. The privacy of individual registrants is sacrificed in order to pander to the most powerful ICANN stakeholders. Registrars are often lazy and not overly concerned about security and just take the easy way out by sending these emails with links.

The ongoing trend of eliminating any semblance of privacy in the domain name system has encouraged bad behaviors from registrars like sending emails with links so that compliance rates seem respectable, and the sale of “privacy registrations” – both horrible practices! While the registrars are the specific source of this problem, we should remember that they do just enough to minimize their liability and keep out of trouble with ICANN, who tacitly endorses these activities.

And let’s not rush to fix the wrong thing. 2 factor auth will not address the root cause of the problems. Making compliance harder means that registrants have an even greater chance of being out of compliance, giving their registrar an excuse to take possession of their names.

I don’t think it’s that registrars are “lazy” at all, it’s just a hard issue to balance.

Especially as most registrars have some kind of resellers even if unofficially (e.g. customer registers domains for friends etc).

So, if you do that you have the issue that the registrant can’t actually login and submit the code manually and then there’s also the issue of revealing the registrar brand to the registrant, which isn’t ideal for the reseller.

So the other option, a generic domain which users have to click or be told to visit and enter a code.

Either way, unless you strictly only sell to end-user registrants AND you only operate one brand – it’s near impossible to do well.

… Then there’s also the issue that customers are lazy and if they have to do more than click a link will put it off, then wonder why their registrar dared to disable their domain.